Hey security managers, go hire some marketing people for your team

This is not a plea for organisations to start actively hiring people away from vendor product marketing teams. But if you want to look for people to point the finger at and explain why you aren't getting the budget required to actually secure your environment, product marketing is a good place to start.

There were 2 key messages attendees should have taken away from the Gartner Security & Risk Management Summit in Sydney a few weeks ago:

1. Security priorities tend to be set based on the threat du jour and audit findings.
2. Security teams need to get better at marketing.

Here's the problem:

1. Sensationalist headlines sell stories, which attracts more advertisers. This means the threat du jour will get the most airtime.
2. People who hold the keys to budgets read headlines, which perpetuates the problem.
3. Product marketing teams know this. So, to get more inbound traffic to their websites, the content creation and PR teams craft "stories" and "messages" around the threat du jour.
4. Publications notice that vendor messages are in line with their stories, which fuels the hype.

It's like how seeing something on fire makes us think about checking whether our insurance covers fire damage. Meanwhile, the front gate's been broken for the past week but we've left it alone because no one's stolen anything from the house yet.

How can an internal marketing campaign driven by the security team help? You won't be able to stop the hype that builds up around the threat du jour. But as an internal team, you should know what the organisation you work for really cares about in business terms. Take audit findings as an example. While rather boring, translate audit findings into tangible, financial implications for the business and you suddenly have something worth talking about as an overall program instead of a checkbox to tick (which is unfortunately how a lot of internal security budgets get signed off).

As a starting point, take a look at my tongue-in-cheek post about contributed articles. While laced with sarcasm, the structure of my "meaningless contributed article" template works (because it's a structure many are subconsciously used to) if the content holds up. Ensure you have the following points covered:

• Detail the industry trends that are affecting the organisation.
• What are independent sources (both internally and externally) saying about them?
• Why should the business care (don't use technical terms)?
• Outline some meaningful metrics (an interesting metric does not necessarily mean it's useful - ask yourself if anyone in the organisation will care).
• What does it mean in financial terms for the business if something is not done?
• What have other organisations done to solve the problem?
• What are the steps the organisation you work for need to take and what are the benefits (again, don't use technical terms)?

The mistake many of us make is in thinking marketing is easy; it's not. And it takes good marketing to sell security internally. Crafting an article can help hone in on what really matters and justify budget allocation, which makes it easier to ignore the noise.

Great marketing focuses on what matters by simplifying the messages and communicating the value, be it emotional or financial. This is what most security teams do not know how to do, which is why budgets are not allocated to fix that lock on the front gate. Instead, budgets are spent on fire insurance.

I know this is ironic coming from me as I work for a security vendor. But if security teams hired marketers to communicate the things that matter to an organisation's security instead of the threat du jour, we as an industry will benefit from it.

As an aside, ever notice how many security companies have the word "fire" in their name?

How to spot a meaningless contributed article

What is a contributed article? They're the ones where the author works for a vendor or solution provider and not the publication. In other words, their day job is not as a journalist. I'm speaking from first hand experience as I've written a number for various publications and understand the process.

Contributed articles do not typically involve any form of payment. When they do, reputable publications will disclose this fact. More commonly, they are freely given to a publication based on a brief that was provided. For example, a publication may say they are interested in a contributed article about a new smartphone's features and the implications on digital security. A vendor's marketing and public relations team will then work with a subject matter expert (SME) on crafting such an article for submission. Of course, if the SME isn't really one, then nothing will save the article.

Naturally, the process results in content of varying quality. The worst ones are typically not written by the individual, but ghost-written by someone else (usually without sufficient domain expertise). The vendor spokesperson/SME simply gets the byline. These end up sounding generic and the reader learns nothing.

More commonly, the resulting article is an equal and collaborative effort between everyone involved. While this is marginally better, it still sounds unauthentic, somewhat generic and provides little value. Why? They keyword here is "equal". The SME needs to be the main contributor instead of simply providing their equal share of input.

The best contributed articles are the ones written by someone:

1. With the necessary domain expertise.
2. That knows how to write.
3. That has the time to do it.
4. Willing to allow an editor/reviewer to run their virtual red pens through it without getting offended.
5. That is not blatantly trying to sell something.

Unfortunately, contributed articles tend to be mediocre or just terrible and that is a real shame, because there are lots of really smart people that could produce great content (with some help and editing) if they weren't under corporate pressure to be 100% "on message". The art of course, is to be "on message" subtly while still being able to contribute to the conversation in a meaningful way.

So how do you spot a meaningless contributed article? They usually look like this...

Meaningless headline that was put here for click-baiting purposes

You know that issue that's been in the news this week? And that other bit of similar news from last week? Oh, and those other countless ones from the past few months? They're only going to get worse because of buzzword 1, buzzword 2 and buzzword 3. Oh, don't forget about buzzword 4.

That large analyst firm, their biggest competitor and that other one that tries really hard to be heard all agree. Here's some meaningless statistic and a bunch of percentages from these analyst firms that prove what I'm saying in the previous paragraph is right. I'm adding some independent viewpoints here people, so it's not just about what I'm saying, even though it is.

So what to do about all this? You should be really worried about solving the problem you may or may not have had but now that I've pointed it out, you definitely have it. You aren't sure? Well, then listen to this.

Here's an anecdote I may or may not have made up about some organisation that shall remain nameless but is in a relevant industry relating to what I'm trying to sell you, oh wait, that I'm providing advice on because you've got this really big issue that you're trying to solve but just don't know you need to solve it yet but will do once you've read this.

So how do you solve your problem? Well, the company I work for happens to have a solution for this problem that you've now got. I won't be so blatant as to tell you this, but you will no doubt look me or my company up that search engine thing and see what we do and put it all together and then contact our sales team who will then sell it to you so I can get paid.

Here is another anecdote I may or may not have made up about how an organisation has solved the issues I've so clearly laid out for you that can so easily be solved, as shown by this very real (or fictitious, nameless) organisation.

My word-limit is almost up so I'll tell you what I've already told you but just in a slightly different way. In conclusion, you're screwed unless you solve this really generic issue with the silver bullet that organisation x used. So, buy my stuff.

I'm not saying every article with these characteristics is terrible. But very often, the "I have a hammer to sell, so everything is a nail" articles are structured this way. They are generic and leave the reader with the feeling that they just read a bunch of random words. I for one, stop reading an article when it starts to smell like this.

Note:
For the record, I NEVER allowed my articles to be ghost-written, much to the frustration of the people managing the whole process. The problem this introduced was that content could not be churned out as quickly because I became the bottleneck. I wouldn't even agree to have someone else start the article for me. I had to start it from scratch and have final approval on it (once my drafts were run past a set of editors and reviewers of course). This made for more authentic, balanced content while still maintaining some level of being "on message", which kept marketing happy.